Since cryptography offers a tight security for people to encode their message to be unreadable by third party, most people are interested in utilizing it in order to keep their privacy. It is expected that unauthorised people can not read it although they can get access for it because as long as they do not have the encryption key, they will not be able to open it unless they use decryption tools. However the tools have limited ability depending on the types of cryptography and the key size. Such tools can not generate decoding all encrypted message because they only work for certain encryption types.

Based on this fact, criminals use cryptography to conceal essential information related to their crime, so that police or forensic investigators can not open and read it. The crime perpetrators can use various types of cryptography and or strong level of key size in order to encode more securely their message, therefore cryptography is one of important concerns for forensic investigators on how to deal with it appropriately in order to solve the crime. It has been common fact that the encrypted message usually contains valuable information, so the forensic investigators are required to extract it. For this task, they have two duties. The first one is to find out files, partitions and emails which are being encrypted, and the second one is to try decrypting it to be readable. This decrypted information might be useful for police to investigate the crime.

Types of Cryptography
Simply cryptography converts a message from plain text to be ciphered text by using a cryptographic algorithm such as DES (Data Encryption Standard), IDEA (International Data Encryption Algorithm), Blowfish, AES (Advanced Encryption Standard) and so on. Generally there are two types of cryptography algorithm, namely symmetric and asymmetric. The clear and significant difference between them is encryption key meaning only one key (i.e. private key) on symmetric and two keys (public and private keys) on asymmetric. Below is the description of both.

Symmetric Cryptography

Initially people used cryptography with one key meaning the key used for encryption is same as the key for decryption. It can be analogized with the door key in real world because people use the same key for locking and unlocking the door. The key in cryptography is mathematical function designed to convert a plain text data to be cipher text data for encryption. With the same algorithm, the ciphered data can be converted to be original text data.

To protect the access in using such algorithm for decrypting a ciphered data, it is used a passphrase key controlling the operation of a cipher, so that the authorized users having known the passphrase key can only perform decryption. It means that although the type of cryptographic algorithm has been detected but the passphrase key is still missing, so the ciphered data can not be decrypted. This key made along with the process of encryption has various key sizes depending on the types of applied cryptography.

One of well known pioneer symmetric cryptographic algorithms is DES which is based on 56-bit block size. It is considered weak at this time because it can be broken by certain attacks such as brute force and cryptanalysis; therefore in 2002 it was superseded by AES using three block ciphers of 128-bit with key sizes of 128, 192 and 256-bit as a cryptography algorithm standard in the US. The other symmetric algorithms which are frequently used are Twofish with 128-bit block and up to 256-bit key size, Blowfish with 64-bit block and various key size between 32 and 448 bits, Serpent with the block size of 128 bits providing 128, 192 or 256-bit key size, CAST5 with 64-bit block size supporting 40 to 128-bit key size and Triple DES which is combination of three 56-bit DES. The algorithms above can also be applied with a combination of two or three algorithms in order to increase the security of cryptography such as AES-Twofish, Serpent-AES and AES-Twofish-Serpent. These combinations have been implemented by certain applications such as TrueCrypt.

Nowadays the forms of using symmetric cryptography is varied and more interesting with a nice Graphical User Interface (GUI) such as Remora USB Disk Guard in figure 1 and PixelCryptor using a picture as a bridge for encryption and decryption, so that it attracts people to use it for their current needs on information security.

Figure 1

Remora USB Disk Guard protected by two types of passwords for logon and encryption/decryption is designed for mobile encryption on USB storage device.

These applications are easy to use and offer challenges such as PixelCryptor which can not be used to decrypt an encrypted package if the linked picture as the image key is missing or modified. To decrypt the encrypted package on PixelCryptor, it is required the image key as well as passphrase key as shown in figure 2. Besides those above, there are still symmetric cryptography applications using ordinary GUI such as Kruptos using 128/256-bit key size of Blowfish, and Blowfish Advanced CS offering various types of algorithm.

Figure 2
PixelCryptor uses an image file as a link to encrypted package as well as passphrase.

The other feature is encrypted volume which is used to store any files or folders to be encrypted by putting it within the volume. Actually the volume is a file which can be mounted as a virtual drive. The files and folders moved to the volume become encrypted automatically, so that it gives an ease for the users to modify the encrypted objects instantly as they want to. Once it is unmounted, all files or folders within the volume will be encrypted and the virtual drive will disappear, on the other hand if it is mounted, all files and folders within the volume will be decrypted. This feature is delivered by TrueCrypt and LockDisk.

Asymmetric Cryptography

Since symmetric is considered as inflexible and insecure in sharing the encryption key among the users, so the asymmetric cryptography is developed. Asymmetric provides two different types of key, namely public key and private key. Public key is designed to be shared to the other people for encrypting a plain text data to be ciphered text data, whereas private key which must be kept securely by the owner is used to decrypt ciphered text data to be plain text data.

This technique is considered secure because a user can distribute his public key to anybody he wants without worrying to be intercepted by third party. Although the encrypted data can be tapped by another people, they can not decrypt it without having the private key. Even the private key can be revoked if the owner considers the key is stolen.

One of common usage of asymmetric cryptography is email. Since people need to secure their email communication from interception by third party, the use of asymmetric cryptography becomes frequent because it is more flexible and secure in distributing public key to be shared to another people than symmetric cryptography.

The asymmetric cryptography algorithm which is often used in encrypted email is PGP (Pretty Good Privacy) providing privacy, authentication and integrity checking over generating public and private key and digital signature. For email encryption, the plug in Enigmail providing OpenPGP can be used along with mail clients such as Mozilla Thunderbird and SeaMonkey as security extension.

OpenPGP Enigmail offers key pairs generation as shown in figure 3 with 4096-bit RSA algorithm which is used widely in e-commerce protocols because it is accepted as one of means providing strong security. It also provides key expiry from only 1 day to no expiry at all and revocation to terminate the private key in the case of it is stolen or missing. Besides RSA, there are other algorithms such as DSA (Digital Signature Algorithm) and El Gamal. DSA is used for digital signature, while EL Gamal is asymmetric cryptography having three components namely key generator, encryption and decryption algorithms.

Through short experiment, it shows that encryption and decryption using OpenPGP Enigmail within Mozilla Thunderbird is quite easy to carry out and reliable for strong security. In this experiment, a sender sends his public key to a recipient. After obtaining a public key, recipient sends an encrypted message using sender’s public key. The encrypted email will be then decrypted by the sender using his private key. If it is intercepted when it is in transit over network, the interceptor will gain an encrypted message as shown in figure 4. He needs sender’s private key to perform decryption of the message as well as passphrase key. Both are required to perform such decryption.

Conclusion

Both cryptography algorithms of symmetric and asymmetric are frequently used nowadays, even by criminals; therefore forensic investigators should know about it and how to deal with it properly. Although it is almos impossible to break a high level of key/block size of an encrypted message, there is still possibility to obtain the encrypted message. For instance when the suspected computer found is still running. It is not necessary to turn off directly because probably there is still an encrypted message or volume which has been decrypted. Even the only access an encrypted drive is when it is running. It means that it is being decrypted.

1 comment:

Well written post. I was not aware that asymmetric cryptography algorithm plays an important role in generation of digital signature and public & private key as well. I will be very thankful to you if shares that algorithm with me..

About Me

I have been working for Indonesian Police Forensic Laboratory Centre (Puslabfor Bareskrim Polri) since 1997. My current job is the Chief of Computer Forensic Sub-Department. I have core duties to handle digital forensic investigation and analysis on electronic and digital evidence. I am the pioneer of developing computer forensic capabilities at Puslabfor Bareskrim Polri which was started in around 2000. Last year, in 2012 I and my team successfully investigated and analyzed 488 items of evidence which came from 81 cases of computer crime and computer-related crime.
In 2012 I wrote a book with the title "Digital Forensic: Practical Guidelines for Forensic Investigation". Its contents is mostly from knowledge and science I got from joining the MSc in Forensic Informatics at the University of Strathclyde, in the UK in 2008/2009 through the Chevening Scholarships. In 2010, the British Council in Indonesia gave me a prestigious award as one of "The Super Six UK Alumni".